PCI DSS Version 3.0 For Controllers and Business Users. Luke Harris, Office of the State Controller; David Reavis, UNC General Administration. November 10, 2014.
Presentation transcript:

Slide 1: Title slide (deck marked DRAFT, dated November 10, 2014)

Slide 2
Not intended to:
–Educate you on what PCI is. The standard has been in effect since 2005; information is available on the PCI Council's website.
–Scare you into becoming PCI compliant. Target and Home Depot are sufficient examples; potential fines and loss of employment are sufficient motivation.
Intended to focus on the responsibilities of the business office (campus controller).

Slide 3: Whose Responsibility is PCI?
PCI is a business problem, primarily with an IT solution:
–Vulnerability scanning, penetration testing
–Firewalls, encryption, software updates, etc.
–The business office should be familiar with the various IT requirements
However, some elements require business office (campus controller) involvement:
–Ensuring and monitoring service providers' compliance
–Physical protection of capture devices and cardholder data
–Employee awareness training and attestation
–Security incident response plan and annual testing
Coordination between IT and business staff is critical.

Slide 4: What's New in 3.0
Business-as-usual theme: emphasis on being security aware on a continuous basis, not just once per year
Clarification of some requirements, with added sub-requirements
Required penetration testing, in addition to vulnerability scanning
Physical protection of card capture devices
Eight SAQs instead of four
Version 3.0 Assessment Document

Slide 5: Penetration Testing vs. Scanning
Requires quarterly external vulnerability scanning of external IP addresses by an Approved Scanning Vendor (ASV)
Requires quarterly internal vulnerability scanning (Req. 11.2); this can be performed internally
After the first year, four quarters of passing vulnerability scans must have occurred to be considered compliant
Effective July 2015, Req. 11.3 requires annual external and internal penetration tests, including tests to validate that segmentation methods are "operational and effective." A penetration test goes beyond a scan: the tester actively uses attacker techniques to try to bypass security controls, rather than only enumerating known vulnerabilities.
The business office should ask IT whether vulnerability scanning and penetration testing are required and are being performed.
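The "four quarters of passing scans" rule on this slide is easy to state and easy to get wrong when a quarter contains a failed scan and a later rescan. The following is an added example written for this page (it is not material from the presentation, the PCI Council or any ASV): it buckets a scan log by calendar quarter and reports the status of the last four completed quarters. The scan log is constructed, and the rule as coded, at least one passing scan in each of the last four completed calendar quarters, is this example's reading of the slide; the assessor or ASV applies the authoritative interpretation.

```python
"""Check a vulnerability-scan log against the "four quarters of passing scans"
rule on this slide (PCI DSS 3.0 Req. 11.2).

Added example written for this page, not material from the presentation. The
scan log is constructed. The rule as coded here, "at least one passing scan in
each of the last four completed calendar quarters", is this example's reading
of the slide; the assessor or ASV applies the authoritative interpretation.
"""
from datetime import date


def quarter_of(d):
    """Calendar quarter containing d, as (year, 1..4)."""
    return (d.year, (d.month - 1) // 3 + 1)


def previous_quarter(yq):
    year, q = yq
    return (year - 1, 4) if q == 1 else (year, q - 1)


def last_completed_quarters(as_of, n=4):
    """The n calendar quarters fully completed before as_of, oldest first."""
    q = previous_quarter(quarter_of(as_of))
    out = []
    for _ in range(n):
        out.append(q)
        q = previous_quarter(q)
    out.reverse()
    return out


def quarterly_status(scans, as_of):
    """Map each of the last four completed quarters to PASS, FAIL or NO SCAN.

    scans: iterable of (scan_date, passed). Any passing scan in a quarter marks
    it PASS, so a failed scan followed by a passing rescan in the same quarter
    still counts; a quarter with only failed scans is FAIL.
    """
    status = {q: "NO SCAN" for q in last_completed_quarters(as_of)}
    for scan_date, passed in scans:
        q = quarter_of(scan_date)
        if q not in status:
            continue  # outside the window being assessed
        if passed:
            status[q] = "PASS"
        elif status[q] != "PASS":
            status[q] = "FAIL"
    return status


def four_quarters_compliant(scans, as_of):
    return all(s == "PASS" for s in quarterly_status(scans, as_of).values())


# Constructed scan log, assessed as of the presentation date.
AS_OF = date(2014, 11, 10)
SCAN_LOG = [
    (date(2013, 11, 15), True),
    (date(2014, 2, 10), False),   # failed; rescan below
    (date(2014, 3, 5), True),     # passing rescan, same quarter
    (date(2014, 5, 20), True),
    (date(2014, 8, 14), False),   # failed, never rescanned in Q3 2014
]
REMEDIATION_RESCAN = [(date(2014, 9, 30), True)]

if __name__ == "__main__":
    for q, s in quarterly_status(SCAN_LOG, AS_OF).items():
        print(f"{q[0]} Q{q[1]}: {s}")
    print("compliant:", four_quarters_compliant(SCAN_LOG, AS_OF))
```

Run as written, the log is not compliant because Q3 2014 has only a failed scan; appending the September rescan makes all four quarters PASS. The quarter containing the assessment date is deliberately left out of the window, since it is not yet complete.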

Slide 6: Physical Protection of Devices
9.9. Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
–New requirement, effective July 2015
–Applies to card-reading devices used for card-present transactions (POS terminals)
–Required for card-reading (swipe/dip) devices; for manual key-entry components such as computer keyboards and POS keypads it is a recommendation, not a requirement

Slide 7: Protection of Devices – cont.
Maintain an up-to-date list of devices
Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers) or substitution (for example, by checking the serial number or other device characteristics to verify the device has not been swapped with a fraudulent one)
Provide training so personnel are aware of attempted tampering or replacement of devices:
–Verify the identity of any third-party persons claiming to be repair or maintenance personnel
–Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
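The list-and-inspect routine on this slide only catches a swapped terminal if someone actually compares what was found against what the list says should be there. As an added illustration (example code written for this page, not material from the presentation or from the PCI Council), the following reconciles a device inventory against one inspection round and flags substitution (unexpected serial), an uninventoried device, tamper evidence, terminals nobody looked at, and terminals whose last inspection is older than the allowed interval. The inventory, the inspection results, the field names, the severity labels and the 30-day interval are all constructed assumptions.

```python
"""Reconcile a payment-terminal inventory against one physical inspection round.

Added example for the Req. 9.9 steps on this slide (keep a device list, inspect
periodically, verify serial numbers to catch substitution). It is illustration
code written for this page, not material from the presentation or from the PCI
Council. The inventory, the inspection results, the field names, the severity
labels and the 30-day inspection interval are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    device_id: str       # asset tag on the inventory list
    model: str
    serial: str          # serial number printed on the terminal body
    location: str        # where the terminal is supposed to be
    last_inspected: date


@dataclass(frozen=True)
class Observation:
    location: str        # where the inspector found a terminal
    serial: str          # serial number actually read off the device
    seal_intact: bool    # tamper-evident seal unbroken, no foreign attachment
    inspected_on: date


def reconcile(devices, observations, today, max_days_between_inspections=30):
    """Return a list of (severity, subject, message) findings.

    Substitution: the serial found at a location is not the inventoried one.
    Unknown device: a terminal at a location the inventory does not list.
    Tamper: seal broken or a foreign attachment (e.g. a skimmer) reported.
    Missing: an inventoried terminal nobody observed this round.
    Overdue: a missing terminal whose last inspection is older than allowed.
    """
    findings = []
    by_location = {d.location: d for d in devices}
    by_serial = {d.serial: d for d in devices}
    seen = set()

    for obs in observations:
        expected = by_location.get(obs.location)
        if expected is None:
            findings.append(("HIGH", obs.location,
                             f"unknown device {obs.serial} at a location with no inventory record"))
            continue
        if obs.serial != expected.serial:
            elsewhere = by_serial.get(obs.serial)
            if elsewhere is not None:
                # A known terminal turned up in the wrong place: not a swap, but the list is stale.
                seen.add(elsewhere.device_id)
                findings.append(("MEDIUM", expected.device_id,
                                 f"{elsewhere.device_id} ({obs.serial}) found at {obs.location}; "
                                 f"inventory expects {expected.serial} here and lists "
                                 f"{elsewhere.device_id} at {elsewhere.location}"))
            else:
                findings.append(("HIGH", expected.device_id,
                                 f"possible substitution at {obs.location}: serial {obs.serial} "
                                 f"is on no inventory record, expected {expected.serial}"))
            continue
        seen.add(expected.device_id)
        if not obs.seal_intact:
            findings.append(("HIGH", expected.device_id,
                             f"tamper evidence at {obs.location}: seal broken or foreign attachment"))

    for d in devices:
        if d.device_id in seen:
            continue
        findings.append(("MEDIUM", d.device_id, f"not observed at {d.location} during this round"))
        if (today - d.last_inspected).days > max_days_between_inspections:
            findings.append(("MEDIUM", d.device_id,
                             f"inspection overdue: last inspected {d.last_inspected.isoformat()}"))
    return findings


# Constructed sample data: four terminals, one inspection round on 2014-11-10.
TODAY = date(2014, 11, 10)
INVENTORY = [
    Device("POS-001", "terminal model A", "SN-1001", "Cashier 1", date(2014, 10, 20)),
    Device("POS-002", "terminal model A", "SN-1002", "Cashier 2", date(2014, 10, 20)),
    Device("POS-003", "terminal model B", "SN-1003", "Bookstore", date(2014, 9, 1)),
    Device("POS-004", "terminal model B", "SN-1004", "Cafeteria", date(2014, 10, 20)),
]
INSPECTION_ROUND = [
    Observation("Cashier 1", "SN-1001", True, TODAY),
    Observation("Cashier 2", "SN-9999", True, TODAY),   # serial nobody issued: swapped unit?
    Observation("Cafeteria", "SN-1004", False, TODAY),  # seal broken
    # Bookstore was not visited this round.
]
# A round in which every terminal is where it should be, with its seal intact.
CLEAN_ROUND = [Observation(d.location, d.serial, True, TODAY) for d in INVENTORY]

if __name__ == "__main__":
    for severity, subject, message in reconcile(INVENTORY, INSPECTION_ROUND, TODAY):
        print(f"{severity:6} {subject:10} {message}")
```

The substitution case is the one the slide is about: the serial read at Cashier 2 matches nothing on the list, so the finding is raised against the terminal that should have been there, and that terminal is additionally reported as not observed. A clean round produces no findings. The serial comparison only works if the inventory records the serial as printed on the device, which is why the list has to be maintained before the first inspection, not reconstructed afterwards.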

Slide 8: Service Providers
12.8. Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
–Maintain a list of service providers.
–Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data they possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

Slide 9: Service Providers – cont'd
–Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement
–Maintain a program to monitor service providers' PCI DSS compliance status at least annually
–Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity

Slide 10: Security Incident Plan
The criticism of Target's breach was that the company did not respond in a timely manner.
Create the incident response plan to be implemented in the event of a system breach (Req. 12.10). Ensure the plan addresses the following, at a minimum (edited for the business office):
–Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands…
–Analysis of legal requirements for reporting compromises
–Reference or inclusion of incident response procedures from the payment brands
Test the plan at least annually

Slide 11: OSC's Policy for Incidents
Notify OSC immediately (within 24 hours)
OSC will coordinate notification to the card processor and the card brands
Applicability of the NC Identity Theft Act is to be considered
The campus's legal counsel is to be involved
OSC will advise on the timing of any press releases

Slide 12: SAQ selection under version 3.0

Face-to-Face and MOTO only:
  B        POS analog, not connected to IP *
  B-IP     POS connected to IP * #
  C-VT     Virtual terminal over IP, dedicated or segmented, keyed entry only * #
  C        POS software connected to IP, dedicated or segmented * #
  P2PE-HW  POS hardware managed with point-to-point encryption *
  D        Cardholder data is stored #

eCommerce only:
  A        Card-not-present, fully outsourced *
  A-EP     Outsourced, but website redirect can impact security of payment * #
  D        Cardholder data is processed, transmitted, or stored #

Combination of face-to-face and eCommerce:
  D        All merchants not included entirely in any one of the above, or where cardholder data is stored (systems are connected / not segmented) #

* indicates cardholder data is not stored; # indicates vulnerability scanning required.

Slide 13: SAQ A vs. SAQ A-EP
SAQ A and SAQ A-EP are for merchants that use eCommerce channels only (no face-to-face).
The initial interpretation of the standard was that a website that "redirects" to a payment gateway is required to complete SAQ A-EP, which requires vulnerability scanning.
The May 2014 guidance document, however, clarifies that a merchant using a URL redirect (e.g., TouchNet) can still use SAQ A if cardholder data is not entered on the merchant's website.
However, if the merchant also has face-to-face applications in addition to eCommerce, SAQ D applies anyway.

Slide 14: Impact of New SAQs
Under 3.0, the required SAQ is determined by the channel(s) used:
–eCommerce channel only
–Face-to-face and MOTO only
–Combination of eCommerce and face-to-face
Some campuses currently use SAQ D and will continue to do so.
Most campuses currently using A, B, and C will now have to use SAQ D, since they have a combination of channels.
SAQ D should not scare you, as it has a column for N/A.

Slide 15: New Validation Portal
The appropriate SAQ will still be answered at the "doing business as" (DBA) level or chain level.
OSC is in the middle of the RFP process and bids are currently being evaluated. Communication will be sent to participants once an award is finalized.

Slide 16: Contact Information
David Reavis, Office of Compliance and Audit Services, UNC General Administration, 140 Friday Center Drive, Chapel Hill, NC. Cell:
Luke Harris, Statewide Accounting, North Carolina Office of the State Controller, 1410 Mail Service Center, Raleigh, NC. Phone: